K 10
svn:author
V 7
glebius
K 8
svn:date
V 27
2012-04-02T16:13:54.856063Z
K 7
svn:log
V 2090
Major step in making pf more SMP friendly. Lots of changes, that depend on each other, thus this commit couldn't be effectively split.

- The RB-tree for states dropped, a hash introduced instead. Locking is per hash slot. Hash function is cheap here, it is (id % hashsize), thus slot mutex is also used to lock all states inside the slot.
- The RB-tree for state keys dropped, a hash introduced instead. Locking is per hash slot. Lock order is "key hash lock", then "id hash lock".
- The global list of states dropped. Traversing ID hash slots used instead.
- Introduce state referencing. ID hash, pfsync, keys, each give state a reference.
- pf_find_state(), pf_find_state_byid() return locked on success.
- pf_unlink_state() actually frees the state, if we got the last reference.
- pf_purge_expired_states() processes fraction of ID hash each second. Black magic with sx(9) lock removed.
- pfsync_state_in_use() axed, generic referencing used.
- The key-to-key pointer sk->reverse is temporarily disabled. Enabling it introduces LORs difficult to deal with. Also disabling it removes the m_addr_changed() hack from the TCP/IP stack. Re-introducing of this optimization should be reconsidered later.
- Start on better locking in pfioctl(): acquire PF_LOCK() separately for each command, so that we can unlock them one by one, as well as work on using M_WAITOK and don't interlock for copyout(). For now the only polished command is DIOCGETSTATES.
- Move some pf(4) initialization from pf_ioctl.c to pf.c, making them static. I believe only the ioctl stuff should belong to pf_ioctl.c.

And probably lots of smaller changes not directly related to the above idea. I'm sorry.

This code hasn't been properly tested. I just feed my test box via pfsync(4) with some live data, while the port on switch is in monitor mode, and monitors live pfsync vlan. The test box isn't forwarding anything, except its own traffic.

The entire pf is still running under "pf Giant lock", since there are a lot of other things that should be locked before we can remove it.
END